Are these log entries normal?

1

I noticed high CPU usage, and saw that the user dinko had high CPU usage with the sshd process when I typed top.

The user dinko was just a random user I created, and it had a Ruby application running.

I immediately deleted that user and rebooted the server. It is fine now, but I wonder whether there is anything suspicious in this auth.log?

Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21063]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:01 host1 su[21144]: + ??? root:postgres
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session closed for user postgres
Feb 22 10:45:02 host1 CRON[21063]: pam_unix(cron:session): session closed for user root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:04 host1 sshd[20291]: error: maximum authentication attempts exceeded for root from 84.209.49.43 port 53108 ssh2 [preauth]
Feb 22 10:45:04 host1 sshd[20291]: Disconnecting: Too many authentication failures for root [preauth]
Feb 22 10:45:04 host1 sshd[20291]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:45:04 host1 sshd[20291]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 22 10:45:06 host1 sshd[16407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:45:13 host1 sshd[16407]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:45:13 host1 sshd[16407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:46:37 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:46:37 host1 saslauthd[1891]: do_auth         : auth failure: [[email protected]] [service=smtp] [realm=brilliantstonegroup.com] [mech=pam] [reason=PAM auth error]
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:47:38 host1 sshd[32484]: Received disconnect from 221.194.47.249: 11:  [preauth]
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:05 host1 su[3582]: + ??? root:projectslcp
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:48:06 host1 su[3588]: Successful su for host1 by root
Feb 22 10:48:06 host1 su[3588]: + ??? root:host1
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session closed for user host1
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:48:14 host1 saslauthd[1887]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth         : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 CRON[12776]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 su[12875]: Successful su for postgres by root
Feb 22 10:50:01 host1 su[12875]: + ??? root:postgres
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session closed for user postgres
Feb 22 10:50:02 host1 CRON[12776]: pam_unix(cron:session): session closed for user root
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:07 host1 su[27944]: Successful su for projectslcp by root
Feb 22 10:53:07 host1 su[27944]: + ??? root:projectslcp
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:53:07 host1 su[27951]: Successful su for host1 by root
Feb 22 10:53:07 host1 su[27951]: + ??? root:host1
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session closed for user host1
Feb 22 10:53:40 host1 sshd[24692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2
Feb 22 10:53:47 host1 sshd[24692]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 46022 ssh2]
Feb 22 10:53:47 host1 sshd[24692]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:53:47 host1 sshd[24692]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:01 host1 CRON[4705]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:02 host1 su[4849]: Successful su for postgres by root
Feb 22 10:55:02 host1 su[4849]: + ??? root:postgres
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session closed for user postgres
Feb 22 10:55:02 host1 CRON[4705]: pam_unix(cron:session): session closed for user root
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:55:28 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:55:28 host1 saslauthd[1891]: do_auth         : auth failure: [user=float] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:06 host1 su[19730]: Successful su for projectslcp by root
Feb 22 10:58:06 host1 su[19730]: + ??? root:projectslcp
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root
Feb 22 10:58:06 host1 su[19738]: + ??? root:host1
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session closed for user host1
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session closed for user dinko
Feb 22 11:00:01 host1 CRON[28995]: pam_unix(cron:session): session opened for user root by (uid=0)
    
asked by Aleksandar Pavić 23.02.2017 - 09:22

3 answers

3

su and cron made up 73% of your log. And there is no successful ssh connection.

The su messages mean running the cron job only. And cron is doing cron work only. So, I think they are normal. If you still think they are suspicious, check the cron job.

See: https://drive.google.com/file/d/0B7ATpknBcvVQZ2tOdmpERUFMeDQ/view?usp=sharing

    
answered by Mr.kang 14.03.2017 - 11:16
1

I can't see anything that suggests a break-in; for any machine connected to the Internet there will be entries like this:

Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2

Because there are bots that just try default user and password combinations.

Entries similar to this one:

Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root

happen every time you log in, which includes switching to another user; in this specific case, the user "root" becomes the user "host1". You can read more about this type of entry in this askubuntu question.

The mitigation techniques I posted here are also valid for hardening your SSH server.

    
answered by Purefan 23.02.2017 - 11:15
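Added example, not part of the question or of either answer above: a small Python triage script that makes the checks Mr.kang and Purefan describe repeatable over an auth.log excerpt. It reports the share of lines produced by su and cron, whether any SSH login was actually accepted, which sources are guessing passwords and how many tries each made (unfolding rsyslog's "message repeated N times" lines, which otherwise undercount), which SMTP users saslauthd rejected, and which "Successful su ... by root" events coincide with a root cron session. The sample log is a constructed subset of the lines posted in the question; the "Accepted password" line is constructed and does not appear in the question, it only shows what a real successful login looks like. The regexes, the two-second cron window and the threshold of three failures are assumptions.

```python
"""Triage an auth.log excerpt: who is guessing passwords, did anyone get in,
and which su events coincide with a root cron session."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the auth.log lines posted in the question.
SAMPLE_LOG = """\
Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21063]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:01 host1 su[21144]: + ??? root:postgres
Feb 22 10:45:02 host1 CRON[21063]: pam_unix(cron:session): session closed for user root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:04 host1 sshd[20291]: error: maximum authentication attempts exceeded for root from 84.209.49.43 port 53108 ssh2 [preauth]
Feb 22 10:45:06 host1 sshd[16407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:06 host1 su[3588]: Successful su for host1 by root
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth         : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Constructed line that is NOT in the question: what a real successful SSH
# login looks like, so the checker has something to flag.
EXTRA_ACCEPTED = "Feb 22 10:49:30 host1 sshd[8000]: Accepted password for dinko from 203.0.113.7 port 4444 ssh2\n"

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")
SU_RE = re.compile(r"Successful su for (?P<target>\S+) by (?P<by>\S+)")
CRON_ROOT_RE = re.compile(r"cron:session\): session opened for user root ")
SMTP_FAIL_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]*)\]")


def _ts(s):
    # syslog timestamps carry no year; pin a leap year so "Feb 29" parses too
    return datetime.strptime("2000 " + s, "%Y %b %d %H:%M:%S")


def triage(log_text, brute_threshold=3, cron_window_s=2):
    """Return counters and event lists for one auth.log excerpt."""
    per_proc, ssh_failed, smtp_failed = Counter(), Counter(), Counter()
    ssh_accepted, su_events, cron_root_opens = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog-style line
        ts, proc, msg = m["ts"], m["proc"], m["msg"]
        per_proc[proc] += 1
        rep = REPEAT_RE.search(msg)  # rsyslog folds identical lines; unfold the count
        count, body = (int(rep["n"]), rep["inner"]) if rep else (1, msg)
        if proc == "sshd":
            if (f := FAILED_RE.search(body)):
                ssh_failed[(f["user"], f["ip"])] += count
            elif (a := ACCEPTED_RE.search(body)):
                ssh_accepted.append((ts, a["user"], a["ip"], a["method"]))
        elif proc == "CRON" and CRON_ROOT_RE.search(body):
            cron_root_opens.append(_ts(ts))
        elif proc == "su" and (s := SU_RE.search(body)):
            su_events.append((ts, s["by"], s["target"]))
        elif proc == "saslauthd" and (f := SMTP_FAIL_RE.search(body)):
            smtp_failed[f["user"]] += count
    # A "Successful su ... by root" within a second or two of a root cron session
    # opening is that cron job; any other one has to be matched to something else.
    su_from_cron, su_other = [], []
    for ev in su_events:
        t = _ts(ev[0])
        near = any(abs((t - c).total_seconds()) <= cron_window_s for c in cron_root_opens)
        (su_from_cron if near else su_other).append(ev)
    by_ip = Counter()
    for (_, ip), n in ssh_failed.items():
        by_ip[ip] += n
    total = sum(per_proc.values())
    return {
        "lines": total,
        "su_cron_share": (per_proc["su"] + per_proc["CRON"]) / total if total else 0.0,
        "ssh_failed": dict(ssh_failed),
        "brute_force_sources": sorted(ip for ip, n in by_ip.items() if n >= brute_threshold),
        "ssh_accepted": ssh_accepted,
        "su_from_cron": su_from_cron,
        "su_other": su_other,
        "smtp_failed": dict(smtp_failed),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above it reports no accepted SSH logins, two sources guessing the root password (6 and 3 tries once the folded lines are counted), one rejected SMTP user, and the su to postgres at 10:45:01 sitting right on top of the root cron session. The su to host1 at 10:43:07 and to projectslcp/host1 at 10:48:05-06 have no root cron session logged next to them, so they land in `su_other`; that is the list to reconcile against root's crontab and whatever else runs as root, since "by root" only says which uid called su, not what started it.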
1

The non-CRON events show that you are seeing some brute-force login attempts (for SSH and, it seems, SMTP), but the other activity looks "fine" and is most likely automated/scripted.

Most of the su activity is from root to a less privileged account (i.e. postgres, host1); this doesn't necessarily prove anything, but it would be unusual for an attacker to get root and then look to use less privileged accounts. But unusual is not the same as impossible, it just seems a strange way to go about it if you wanted to compromise a host.

You may want (as @Purefan suggested) to tighten your configuration a bit (disable root logins, use public keys instead of (or as well as) passwords), and perhaps put some audit rules in place to try to get a better understanding of the activities that concern you. It might also be worth adding fail2ban to your server.

At first glance, beyond hardening the server, I don't think I see anything that warrants serious concern.

That said: if you have the option of re-imaging your host, I would see no reason not to, if only to try to get some peace of mind. There may be other log samples that show something more concerning (and indeed, something more concerning may have happened without leaving much of a trace).

    
answered by iwaseatenbyagrue 14.03.2017 - 11:57
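Added example, not from the answer above or from the original poster: a Python audit of an sshd_config against the hardening iwaseatenbyagrue and Purefan recommend (no root over SSH, keys instead of passwords, a tighter per-connection try limit). Both config texts are constructed. The weak one permits exactly what the posted log shows, password guessing against root with six tries per connection; the "PAM service(sshd) ignoring max retries; 6 > 3" line in the question is sshd's MaxAuthTries default of 6 running past the retry limit on the PAM side, and MaxAuthTries 3 removes that mismatch. The OpenSSH defaults in `DEFAULTS` are assumptions to the extent that they depend on version (PermitRootLogin has defaulted to prohibit-password since OpenSSH 7.0, older releases default to yes), and the parser deliberately stops at the first Match block.

```python
"""Audit an sshd_config against the hardening recommended in the answers."""
import re

# Assumed OpenSSH defaults, applied when a keyword is absent. PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0; older releases default to yes.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed weak config: permits exactly what the posted log shows, password
# guessing against root with six tries per connection.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed hardened counterpart: no root over SSH, keys only (including the
# PAM keyboard-interactive path), and a try limit that agrees with PAM's.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    sshd uses the first value it sees for each keyword, so later duplicates
    are ignored. Parsing stops at the first Match block: what follows is
    conditional and would need the connection context to evaluate.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective value, recommendation), ...]; empty means clean."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "set to no; log in as a named user and use sudo"))
    if cfg["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "set to no once every admin has a key installed"))
    if cfg["challengeresponseauthentication"] != "no":
        findings.append(("ChallengeResponseAuthentication", cfg["challengeresponseauthentication"],
                         "set to no, otherwise PAM can still prompt for a password"))
    if cfg["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", cfg["pubkeyauthentication"], "set to yes"))
    try:
        tries = int(cfg["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > 3:
        findings.append(("MaxAuthTries", cfg["maxauthtries"],
                         "set to 3 so sshd stops where PAM's retry limit does"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(text) or 'no findings'}")
```

Run it against a copy of `/etc/ssh/sshd_config` (read the file and pass its contents to `audit_sshd_config`) before and after editing, and keep an existing session open while you restart sshd, since turning PasswordAuthentication off on a host where your key is not yet in `authorized_keys` locks you out. The ChallengeResponseAuthentication check is the one people miss: with UsePAM yes, leaving it on lets the keyboard-interactive method ask PAM for a password even though PasswordAuthentication is no, so the bots in the log would still get a prompt.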
